(54) Updating domains in a postage evidencing system

(57) A postage evidencing system including a plurality of domains for partitioning a population of postage meters according to an operating characteristic, a data center, a postage meter in operative communication with the data center and a printer in operative communication with the postage meter. The postage meter is initialized to operate in a particular domain while the printer is capable of operating in each of the plurality of domains. To update or enable a domain in the printer, the postage meter transmits an indication of the particular domain to the data center. Then, the data center encrypts the indication and transmits the indication to the postage meter which in turn forwards the encrypted indication to the printer. The printer decrypts the encrypted indication and using the indication enables a respective domain in the printer corresponding to the particular domain of the postage meter. A method for updating domains in a postage evidencing system is also provided.

Description

This application is related to our (ref. E612) copending European Patent Application Serial No. —, filed concurrently herewith, and entitled SYNCHRONIZATION OF CRYPTOGRAPHIC KEYS BETWEEN TWO MODULES OF A DISTRIBUTED SYSTEM.

This invention relates to value dispensing systems. More particularly, this invention is directed to a postage evidencing system comprising a mailing machine base, a secure accounting meter detachably mounted to the base and a printer also detachably mounted to the base wherein the meter and the printer are manufactured to be interchangeable while still providing for secure mutual authentication.

One example of a value printing system is a postage evidencing system including an electronic postage meter and a printer for printing a postal indicia on an envelope or other mailpiece. Electronic postage meters for dispensing postage and accounting for the amount of postage used are well known in the art. The meter supplies evidence of the postage dispensed by printing indicia which indicates the value of the postage on an envelope or the like. The typical postage meter stores accounting information concerning its usage in a variety of registers. An ascending register tracks the total amount of postage dispensed by the meter over its lifetime. That is, the ascending register is incremented by the amount of postage dispensed after each transaction. A descending register tracks the amount of postage available for use. Thus, the descending register is decremented by the amount of postage dispensed after each transaction. When the descending register has been decremented to some value insufficient for dispensing postage, then the postage meter inhibits further printing of indicia until the descending register is resupplied with funds.

Traditionally, the postage meter and the printer have been located within a single secure housing. Examples of this type of postage evidencing system are the PostPerfect™ and Personal Post Office™ available from Pitney Bowes, Inc. of Stamford, Connecticut, USA. In this environment, the communications between the postage meter and the printer may be either secure or nonsecure. However, recently efforts have been undertaken to provide a postage meter and a printer which are physically separated from each other. Thus, in this type of postage evidencing system, the postage meter and the printer are no longer contained within the same secure housing and the communication lines between the postage meter and the printer are generally nonsecure.

Using nonsecure communication lines between the postage meter and the printer creates a risk of loss of postal funds through fraud. For example, when data necessary to print a valid postal indicia is transferred over the nonsecure communication lines from the postage meter to the printer, it is susceptible to interception, capture and analysis. If this occurs, then the data may be retransmitted at a later time back to the printer in an attempt to fool the printer into believing that it is communicating with a valid postage meter. If successful, the result would be a fraudulent postage indicia printed on a mailpiece without the postage meter accounting for the value of the postage indicia.

Generally, it is known to employ secret cryptographic keys in postage evidencing systems to prevent such fraudulent practices. This is accomplished by having the postage meter and the printer authenticate each other prior to any printing taking place. One such system is described in European Patent Application Serial No. [illegible], filed on December 20, [illegible] and entitled METHOD AND APPARATUS FOR SECURELY AUTHORIZING PERFORMANCE OF A FUNCTION IN A DISTRIBUTED SYSTEM SUCH AS A POSTAGE METER. In summary, this application provides a postage evidencing system including a meter and a printer each having an identical set of authentication keys stored in their respective memories. On a random basis, the printer and the meter in secret fashion coordinate the selection of which authentication key will be used to perform mutual authentication. Importantly, if a valid mutual authentication is to be obtained, it is necessary that the same key is selected for use by the meter and the printer.

Although this system generally works well, it suffers from certain disadvantages and drawbacks. For example, the set of authentication keys are the same for every postage evidencing system. That is, the set of authentication keys are universal in that they will operate with any postage evidencing system. Thus, if one postage evidencing system is compromised, then the other postage evidencing systems are also compromised.

To address this problem, other prior art postage evidencing systems have proposed a different system which provides a unique set of authentication keys for each postage meter and printer combination. In this arrangement, if one postage evidencing system is compromised, then the other postage evidencing systems are not compromised. However, the postage meter and the printer are dedicated to each other because each particular postage meter is tied to only one printer and vice versa. Thus, interchangeability of components, such as using the same postage meter with a plurality of different printers or replacing a defective printer in the postage evidencing system, is difficult due to the necessity of reconfiguring the meter and the printer to each other. This would require updating of the authentication key sets which would increase costs and operating expenses.

Therefore, there is a need for a postage evidencing 
system that reduces the exposure of universal keys and 
allows for the interchangeability of postage meters with 
printers. 

Accordingly, it is an object of the present invention to provide a postage evidencing system with improved security and interchangeability which substantially overcomes the problems associated with the prior art.

In accomplishing this and other objects there is provided a postage evidencing system including a plurality of domains for partitioning a population of postage meters according to an operating characteristic, a data center, a postage meter in operative communication with the data center and a printer in operative communication with the postage meter. The postage meter is initialized to operate in a particular domain while the printer is capable of operating in each of the plurality of domains. To update or enable a domain in the printer, the postage meter transmits an indication of the particular domain to the data center. Then, the data center encrypts the indication and transmits the indication to the postage meter which in turn forwards the encrypted indication to the printer. The printer decrypts the encrypted indication and using the indication enables a respective domain in the printer corresponding to the particular domain of the postage meter.

In accomplishing this and other objects there is provided a corresponding method for updating the domains in a postage evidencing system.

Therefore, it should now be apparent that the invention substantially achieves all the above objects and advantages. Additional objects and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. Moreover, the objects and advantages of the invention may be realized and obtained by means of the instrumentalities and combinations particularly pointed out in the appended claims.

The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate presently preferred embodiments of the invention, and together with the general description given above and the detailed description of the preferred embodiments given below, serve to explain the principles of the invention. As shown throughout the drawings, like reference numerals designate like or corresponding parts.

Fig. 1 is a schematic representation of a postage evidencing system including a postage meter and a printer in accordance with the present invention.

Fig. 2 is a table showing a complete set of printer specific keys, one for every domain, which have been loaded into a memory of the printer during manufacture in accordance with the present invention.

Fig. 3 is a flow chart showing a routine to synchronize the printer with the postage meter in the field in accordance with the present invention.

Fig. 4 is a flow chart showing a routine to add a domain to the printer in the field in accordance with the present invention.

Fig. 5 is a flow chart showing a routine to derive a key necessary to synchronize the printer with the postage meter in the field in accordance with the present invention.

Fig. 6 is a flow chart showing a routine to mutually authenticate a communication session between the printer and the postage meter prior to printing postal indicia in accordance with the present invention.

Referring to Fig. 1, a postage evidencing system 100 in accordance with a first embodiment of the invention is shown. The postage evidencing system 100 includes a mailing machine base 110, a postage meter 120 and a printer 130.

The mailing machine base 110 includes a variety of different modules (not shown) where each module performs a different task on a mailpiece (not shown), such as: singulating (separating the mailpieces one at a time from a stack of mailpieces), weighing, moistening/sealing (wetting and closing the glued flap of an envelope) and transporting the mailpiece through the modules. However, the exact configuration of each mailing machine is particular to the needs of the user. Additionally, the mailing machine base 110 includes an interface (not shown) of any conventional design, such as an LCD display and keypad, for communicating information to the user and receiving inputs from the user. The mailing machine base 110 further includes a controller 112 which oversees the operation of all the modules of the mailing machine base 110. Since a detailed description of the mailing machine base 100 is not necessary for an understanding of the present invention, its description will be limited for the sake of conciseness.

The postage meter 120 is detachably mounted to the mailing machine base 110 by any conventional structure (not shown) and includes a controller 122 having a memory 124, a security application specific integrated circuit (ASIC) 126 having suitable memory and logic (not shown) and a microprocessor 128. The controller 122 is in operative communication with the controller 112 of the mailing machine base 110 over suitable communication lines. Additionally, the controller 122 of the postage meter 120 is in operative communication with a remote data center 10 over suitable communication lines, such as a telephone line 20. The data center 10 communicates with the postage meter 120 for the purposes of remote inspection of accounting registers (not shown), downloading of postal funds and other purposes described in more detail below.

The printer 130 is also detachably mounted to the mailing machine base 110 by any conventional structure (not shown) and includes a print mechanism 136 and controller 132 having a memory 134 and a microprocessor 138. Alternatively, the memory 134 could be located within the microprocessor 138. The controller 132 is in operative communication with the controller 122 of the postage meter 120 and the print mechanism 136 over suitable communication lines. The print mechanism 136 prints a postal indicia (not shown) on the mailpiece (not shown) in response to instructions from the postage meter 120 which accounts for the value of the postage dispensed in conventional fashion. The print mechanism 136 may be of any suitable design, such as: rotary drum, flat impression die, thermal transfer, inkjet, xerographic or the like.

To provide for security of postal funds and to prevent fraud, the postage meter 120 and the printer 130 are provided with secret cryptographic keys which are necessary for mutual authentication. Stored within the memory 124, preferably of the non-volatile type, of the postage meter 120 is a print head/meter universal key $K_{phm}x$. To limit exposure of the universal key $K_{phm}x$ to being compromised, the world is geographically split into multiple domains each with its own separate universal key $K_{phm}x$. In the preferred embodiment, the world is divided into thirteen (13) domains. Thus, a unique universal key $K_{phm}x$ exists for each domain. For example, a unique universal key $K_{phm}1$ is provided for domain #1, a unique universal key $K_{phm}2$ is provided for domain #2, and so on. However, only one universal key $K_{phm}x$ is provided in each postage meter 120 depending upon the domain in which the postage meter 120 is authorized for use by the local postal authority. Therefore, if the first domain universal key $K_{phm}1$ is compromised, then postage meters 120 in domain #2 through domain #13 will not be compromised. Additionally, a test domain used for diagnostics and manufacturing testing is also provided having a unique universal key $K_{phm}\text{test}$.

For added security, the universal key $K_{phm}x$ is stored in memory 124 in encrypted form using an embedded security key $K_{es}$. Thus, the meter 120 must decrypt the universal key $K_{phm}x$ prior to use. In the preferred embodiment, the embedded security key $K_{es}$ is only utilized for decrypting the universal key $K_{phm}x$ and is therefore distinct from the other keys used with the postage evidencing system 100. A more detailed description of this procedure is provided below.

In similar fashion, the printer 130 is also provided with secret cryptographic keys which are necessary for mutual authentication. Referring to Figs. 1 and 2, stored within the memory 134 of the printer 130 is a table 135, as shown in Fig. 2, that contains a complete set of printer specific keys $K_{ph}x$, one for every domain, which have been loaded into the printer 130 during manufacture. Thus, the set of keys $K_{ph}x$ includes $K_{ph}1$ through $K_{ph}13$ and $K_{ph}\text{test}$ which correspond to the geographic domains discussed above with respect to the postage meter 120. Also stored within the memory 134 of the printer 130 is a serial number $N_{ph}$ which is a unique number for every printer 130. The set of keys $K_{ph}x$ are derived during manufacture by encrypting the serial number $N_{ph}$ using the universal keys $K_{phm}x$ according to the following equation:

$$K_{ph}x = \mathrm{DES}(N_{ph};\ K_{phm}x) \tag{1}$$

where DES represents a Data Encryption Standard encryption engine, the serial number $N_{ph}$ represents the message to be encrypted and the key $K_{phm}x$ represents the cryptographic key used to perform the encryption. Thus, a unique set of printer keys $K_{ph}x$ exists for each printer 130 which correspond to the geographic domains. For example, the key $K_{ph}1$ is unique for the printer 130 and is provided for domain #1 by deriving it from equation (1) through appropriate substitution: $K_{ph}1 = \mathrm{DES}(N_{ph};\ K_{phm}1)$. The remaining keys $K_{ph}x$ are derived in similar fashion.

By providing the printer 130 with the set of printer keys $K_{ph}x$, one for every domain, it should be appreciated that the printer 130 as manufactured has the capability to operate in any domain. This is achieved by shipping the printer 130 with only the test domain enabled, as indicated in the table of Fig. 2, and then synchronizing the printer 130 with a postage meter 120 located within a particular domain in the field. This is in contrast to the meter 120 which is only provided with one universal key $K_{phm}x$ depending upon the domain where the postage meter 120 is authorized for use by a governing postal authority.

The mailing machine base controller 112, the postage meter controller 122 and the printer controller 132 all work cooperatively to execute a plurality of routines, described in detail below, in accordance with the present invention. Thus, they contain suitable software and hardware to accomplish those functions described in the routines. With respect to some functions, it is a matter of design choice where they can be implemented. With respect to other functions, it is important they be implemented in a particular controller 112, 122 or 132. This will be evident to those skilled in the art from the detailed descriptions below.

To synchronize the printer 130 with the postage meter 120 in the field, the postage evidencing system 100 executes a routine 300 as shown in Fig. 3. Referring primarily to Fig. 3 while referencing the structure of Fig. 1, at 302, the postage meter 120 and the printer 130 are powered up and each performs self diagnostics to ensure that normal operating conditions exist. At 304, a determination is made whether the domain of the meter 120 has been enabled in the printer 130. If yes, then at 306 the postage evidencing system 100 begins normal operations and proceeds to execute a key synchronization routine 500 to ensure that the meter 120 is communicating with a valid printer 130 and that the printer 130 is communicating with a valid meter 120 prior to printing any postal indicia. However, if at 304 the answer is no, then at 308 a determination is made whether the test domain of the printer 130 is enabled. If yes, then at 310, the domain in the printer 130 which corresponds to the domain of the meter 120 is enabled. Then, at 312 the test domain is permanently disabled before proceeding to normal operations at 306. However, if at 308 the answer is no, then an add domain routine 400 is executed.

Referring primarily to Fig. 5 while referencing the structure of Fig. 1, a description of the key synchronization routine 500 will now be provided. At 502, the serial number $N_{ph}$ of the printer 130 is sent to the security ASIC 126. Next, at 504 the encrypted universal key $K_{phm}x$ is brought from the memory 124 to the security ASIC 126. Next, at 506 the encrypted universal key $K_{phm}x$ is decrypted using the security key $K_{es}$ which is embedded within the security ASIC 126. Thus, the security key $K_{es}$ is masked within the hardware of the security ASIC 126 and generally not discernible to the outside world. Next, at 508 key $K_{ph}x$ is derived within the security ASIC 126 using equation (1). It should now be apparent to those skilled in the art that keys have been synchronized between the meter 120 and the printer 130 without transmitting the keys themselves. Furthermore, the keys used are unique to that meter 120 and printer 130 combination only. That is, since the serial number $N_{ph}$ of the printer 130 is unique to each printer 130 in the preferred embodiment so as to provide the greatest degree of security, no two keys $K_{ph}x$ are the same. In summary, the meter 130 has the capability to make a key $K_{ph}x$ which is specific to the particular printer 130 with which it is in communication. Therefore, the interchangeability of the meters 120 with the printers 130 is provided for. Once the keys have been synchronized, the postage evidencing system 100 then proceeds to execute a mutual session authentication routine 600.

It should now be apparent to those skilled in the art that the present invention provides for secure communications and interchangeability between the postage meter 120 and the printer 130. For example, if the printer 130 becomes defective and needs to be replaced in the field, then a new printer 130 could be shipped and installed by a service person without regard to the domain that the new printer 130 is being shipped into or the particular meter 120 that the new printer 130 will be interfaced to. This is because upon the first communication between the meter 120 and the printer 130, the meter 120 will derive the appropriate key $K_{ph}x$ which is particular to the new printer 130 and enable the appropriate domain in the new printer 130. As another example, if a new meter 120 is installed for use with the existing printer 130, then the new meter will also derive the appropriate key $K_{ph}x$ which is particular to the existing printer 130 just as the replaced meter 120 had done.

In the preferred embodiment, it is desirable not to allow the meter 120 to change the domain which is enabled within the printer 130 other than at the time when the printer 130 is first placed into service and the domain is changed from the test domain as described above in the routine 300 in Fig. 3. Therefore, the postage evidencing system 100 must communicate securely with the remote data center 10 to obtain authorization to enable an additional domain within the printer 130. In this manner, an added level of security is achieved. Otherwise, the exposure to fraud if a universal key $K_{phm}x$ were to become compromised would be far greater. For example, if the meter 120 were permitted to change the domain of the printer 130, then a compromised universal key for domain #1 $K_{phm}1$ would lead to a greater amount of fraud. This is because the compromised universal key for domain #1 $K_{phm}1$ could be loaded into other meters 120 located outside of domain #1. Then these other meters 120, in addition to those located in domain #1, would also be able to print fraudulent postal indicia if the other meters 120 had the capability to change the domain of their associated printer 130. Therefore, the risk of fraud would greatly increase. Moreover, the manufacturer would be compelled not only to recall those printers 130 located in domain #1, but also in every other domain. This would prove to be administratively complex and costly.

Based on the above factors, the meter 120 is not allowed to change the domain of the printer 130 once the printer 130 has been initialized for the first time. Referring primarily to Fig. 4 while referencing the structure of Fig. 1, a description of the add domain routine 400 will now be provided. At 402, the user is prompted by the mailing machine base 110 to initiate communication with the data center 10 for the purpose of adding a domain to the printer 130. Next, at 404, the meter 120 initiates communication with the data center 10 via telephone line 20. Next, at 406, the meter 120 obtains the serial number $N_{ph}$ from the printer 130 and assembles a first message which includes the serial number $N_{ph}$, a meter serial number $N_m$ which is a unique number for each meter 120 and the domain number. This first message is transmitted to the data center 10 by the meter 120. Next, at 408, the data center 10 makes a determination whether the meter 120 is valid. This involves: (i) looking up in a database to see if the meter serial number $N_m$ which has been received has been placed into service and is active; and (ii) comparing the domain number in the database associated with the meter serial number $N_m$ with the domain number which has been received to see if they match. To be valid, the meter 120 must survive both inquiries. If at 408 the answer is no, then at 410 a failure occurs and the user is instructed to contact the data center 10 before power resetting the postage evidencing device 100. On the other hand, if at 408 that answer is yes, then at 412 the data center transmits a second message to the meter 120 which includes the serial number $N_{ph}$ and the domain number. This second message is encrypted using a remote communications key $K_d$ stored in the data center 10. In the preferred embodiment, the remote communications key $K_d$ is only utilized for remote communications and is therefore distinct from the other keys used with the postage evidencing system 100. That is, there is no overlap between the remote communications key $K_d$, the security key $K_{es}$, the universal keys $K_{phm}x$ and the printer keys $K_{ph}x$. At 414, the meter 120 forwards the second message to the printer 130. Next, at 416, the printer 130 decrypts the second message using the same key $K_d$ stored in the memory 134 of the printer 130 and makes a determination whether the received serial number $N_{ph}$ matches the actual serial number $N_{ph}$ of the printer 130. If no, then the routine 400 proceeds to 410 where a failure results. If yes, then at 418 the domain corresponding to the received domain number is enabled. Next, the routine 400 proceeds to 306 and operation continues accordingly. In the preferred embodiment, domains are never disabled (except for the test domain). Thus, the domain that is enabled according to the routine 400 is in addition to any other domains which have been previously enabled. Thus, the table 135 as shown in Fig. 2 will be updated accordingly with an "Enable" in the second column indicating that the domain is enabled and a "Disable" indicating those domains that are not enabled.

Referring primarily to Fig. 6 while referencing the structure of Fig. 1, a description of the mutual session authentication routine 600 will now be provided. To ensure that postal funds are appropriately accounted for and that fraudulent postal indicia are not produced, the postage meter 120 and the printer 130 initiate the mutual authentication routine 600 prior to any printing taking place. At 602, the controller 112 of the mailing machine base 110 sends an initialize session signal to the meter 120 in response to the occurrence of one of a plurality of predetermined events, such as: the start of a batch run of envelopes or after a predetermined number (for example, 200) of envelopes within the batch run. Next, at 604 the meter forwards the initialize session signal to the printer 130. Next, at 606 the printer 130 generates a first session nonce $SN_p$ which is a random number generated in software in the printer controller 132. Next, at 608 the printer 130 sends the first session nonce $SN_p$ to the meter 120. Next, at 610 the meter 120 derives a session key $K_s$ according to the equation:

$$K_s = \mathrm{DES}(SN_p;\ K_{ph}x) \tag{2}$$

where DES represents the Data Encryption Standard encryption engine, the first session nonce $SN_p$ represents the message to be encrypted using the key $K_{ph}x$ which is the synchronized key obtained as described above. Next, at 612 the meter 120 generates a second session nonce $SN_m$ which is a random number generated in the meter controller 122. Next, at 614 the meter encrypts the first session nonce $SN_p$ and the second session nonce $SN_m$ using the key $K_s$ and sends the resulting message to the printer 130. Next, at 616 the printer 130 derives the session key $K_s$ independently from the meter 120 using equation (2). Next, at 618 the printer 130 decrypts the encrypted message sent from the meter 120 using the key $K_s$. Next, at 620 the printer 130 makes a determination whether the decrypted first session nonce $SN_p$ that was received and the first session nonce $SN_p$ that was sent match. If no, then at 622 a failure results and printing is disabled and the user is instructed to power reset the postage evidencing system 100. If yes, then at 624 the printer concludes that the meter 120 is valid. Next, at 626 the printer 130 sends the decrypted second session nonce $SN_m$ to the meter 120. Next, at 628 the meter 120 makes a determination whether the decrypted second session nonce $SN_m$ that was received and the second session nonce $SN_m$ that was sent match. If no, then the routine proceeds to 622 indicating a failure has occurred. If yes, then at 630 the meter 120 concludes that the printer 130 is valid. Next, since the meter 120 and the printer 130 have successfully authenticated each other, at 632 the postage evidencing system 100 is to print a postal indicia and account for the postage dispensed. Generally, this is accomplished in a conventional manner by generating a secure token in the meter 120 which contains information necessary to print the postal indicia and communicating that token to the printer 130. Since this procedure is not necessary for an understanding of the present invention, no further description will be provided.
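
The key synchronization of routine 500 and the nonce exchange of routine 600, as an added Python sketch that is not code from the patent: it shows why a meter message captured in one session is rejected when replayed into a later one, and why a meter from a different domain fails authentication. DES is replaced here by a small HMAC-based Feistel permutation so the block runs on the standard library alone; the key values, the serial `PH000042` and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

BLOCK = 8  # bytes; serial numbers and nonces are one DES-sized block here

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, rnd, half):
    # Feistel round function: HMAC-SHA256 truncated to the half-block length.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:len(half)]

def encrypt(msg, key):
    """Stand-in for DES(msg; key): a 4-round Feistel permutation, NOT real DES."""
    half = len(msg) // 2
    left, right = msg[:half], msg[half:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right

def decrypt(ct, key):
    half = len(ct) // 2
    left, right = ct[:half], ct[half:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right

# Constructed key material: universal keys K_phm x for domains 1..13 and the
# security key K_es embedded in the meter's security ASIC.
UNIVERSAL_KEYS = {d: hashlib.sha256(b"constructed K_phm %d" % d).digest()[:BLOCK]
                  for d in range(1, 14)}
K_ES = hashlib.sha256(b"constructed K_es").digest()[:BLOCK]

class Printer:
    def __init__(self, serial, enabled_domain):
        self.serial = serial  # N_ph
        # Table 135: K_ph x = DES(N_ph; K_phm x) for every domain, equation (1).
        self.keys = {d: encrypt(serial, k) for d, k in UNIVERSAL_KEYS.items()}
        self.domain = enabled_domain
        self.nonce = None

    def start_session(self):  # steps 606-608: fresh SN_p for each session
        self.nonce = secrets.token_bytes(BLOCK)
        return self.nonce

    def check_meter(self, ct):  # steps 616-626
        if self.nonce is None or len(ct) != 2 * BLOCK:
            return None
        k_s = encrypt(self.nonce, self.keys[self.domain])  # equation (2)
        plain = decrypt(ct, k_s)
        sn_p, sn_m = plain[:BLOCK], plain[BLOCK:]
        expected, self.nonce = self.nonce, None  # a nonce is good for one check
        return sn_m if hmac.compare_digest(sn_p, expected) else None

class Meter:
    def __init__(self, domain):
        # Only the meter's own domain key is stored, encrypted under K_es.
        self.k_phm_enc = encrypt(UNIVERSAL_KEYS[domain], K_ES)
        self.k_ph = None
        self.nonce = None

    def synchronize(self, printer_serial):  # routine 500, steps 502-508
        k_phm = decrypt(self.k_phm_enc, K_ES)
        self.k_ph = encrypt(printer_serial, k_phm)  # never sent over the wire

    def respond(self, sn_p):  # steps 610-614
        self.nonce = secrets.token_bytes(BLOCK)  # SN_m
        k_s = encrypt(sn_p, self.k_ph)
        return encrypt(sn_p + self.nonce, k_s)

    def check_printer(self, sn_m):  # steps 628-630
        return sn_m is not None and hmac.compare_digest(sn_m, self.nonce)

def mutual_auth(meter, printer):
    """Run routines 500 and 600; return (authenticated, captured meter message)."""
    meter.synchronize(printer.serial)
    sn_p = printer.start_session()
    ct = meter.respond(sn_p)
    return meter.check_printer(printer.check_meter(ct)), ct

def demo():
    printer = Printer(b"PH000042", enabled_domain=3)  # constructed serial
    ok, captured = mutual_auth(Meter(3), printer)
    printer.start_session()  # later session, new SN_p
    replay_rejected = printer.check_meter(captured) is None
    other_domain_ok, _ = mutual_auth(Meter(5), printer)
    return ok, replay_rejected, other_domain_ok

if __name__ == "__main__":
    print(demo())
```
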

Those skilled in the art will now appreciate that since the set of printer keys $K_{ph}x$ are unique to each printer 130 and each respective domain, a high degree of security is maintained. For example, if key $K_{ph}1$ is compromised for a particular printer 130, then the security breach is confined to that particular printer 130 in the domain in which it is operating. Thus, the printers 130 and the postage meters 120 operating in the same domain and in other domains are not compromised.

Many features of the preferred embodiment represent design choices selected to best exploit the inventive concept as implemented in a postage evidencing device. However, those skilled in the art will recognize that various modifications can be made without departing from the spirit of the present invention. For example, the domains could be partitioned in a number of different manners, such as: by customer, by country, by customer and by country or any other predetermined segmentation that makes sense given the particular application. As another example, the placement of the universal key could be in the printer while the specific or unique keys were in the meter. In other words, a reversal of the operating relationship described above. As still another example, another encryption engine other than DES, such as RSA, could be substituted.

As yet another example, those skilled in the art will recognize that the mailing machine base controller 112, the meter controller 122 and the printer controller 132 can be of any conventional design incorporating appropriate hardware and software. As still another example, those skilled in the art will recognize that the routine 400 could be utilized to not only enable subsequent domains but also the first domain when the printer 130 is first initialized by a meter 120.

Therefore, the inventive concept in its broader 
aspects is not limited to the specific details of the pre- 
ferred embodiment but is defined by the appended 
claims and their equivalents. 
Claims 

1. A postage evidencing system, comprising: 

a plurality of domains for partitioning a popula- 
tion of postage meters according to an operat- 
ing characteristic; 
a data center; 

a postage meter in operative communication 
with the data center, the postage meter initial- 
ized to operate in a particular domain; and 
a printer in operative communication with the 
postage meter, the printer capable of operating 
in each of the plurality of domains; and 
wherein: 

the postage meter transmits an indication of 
the particular domain to the data center; 
the data center encrypts the indication and 
transmits the indication to the postage meter; 
the postage meter transmits the encrypted indi- 
cation to the printer; 

the printer decrypts the encrypted indication 
and using the indication enables a respective 
domain in the printer corresponding to the par- 
ticular domain of the postage meter. 



2. The postage evidencing system of claim 1, 
wherein: 



the postage meter transmits an identifier 
uniquely associated with the postage meter to 
the data center; and 

using the postage meter unique identifier, the 
data center verifies that the postage meter is a 
valid postage meter before transmitting the 
encrypted indication to the postage meter. 



3. The postage evidencing system of claim 2, 
wherein: 



the printer transmits an identifier uniquely 
associated with the printer to the postage 
meter; 

the postage meter transmits the printer unique 
identifier to the data center; 
the data center encrypts the printer unique 
identifier and transmits the printer unique iden- 
tifier to the postage meter; 
the postage meter transmits the encrypted 
printer unique identifier to the printer; 
the printer decrypts the encrypted printer 
unique identifier and compares the printer 
unique identifier which the printer transmitted 
to the printer unique identifier which the printer 
received to determine if there is a match before 
enabling the respective domain in the printer 
corresponding to the particular domain of the 
postage meter. 

4. A method of updating domains in a postage evidencing 
system including a data center, a postage 
meter in operative communication with the data 
center and a printer in operative communication 
with the postage meter, the method comprising the 
step(s) of: 

establishing a plurality of domains for partition- 
ing a population of postage meters according 
to an operating characteristic; 
initializing a postage meter to operate in a par- 
ticular domain; 

providing the printer with capability to operate 
in each of the plurality of domains; 
transmitting an indication of the particular 
domain to the data center; 
encrypting the indication at the data center; 
transmitting the encrypted indication to the 
printer; 

decrypting the encrypted indication at the 
printer; and 

using the indication to enable a respective 
domain in the printer corresponding to the par- 
ticular domain of the postage meter. 

5. The method of claim 4, comprising the step(s) of: 

transmitting an identifier uniquely associated 
with the postage meter from the postage meter 
to the data center; and 

using the postage meter unique identifier, veri- 
fying at the data center that the postage meter 
is a valid postage meter before transmitting the 
encrypted indication to the postage meter. 

6. The method of claim 5, comprising the step(s) of: 

transmitting an identifier uniquely associated 
with the printer from the printer to the data center 
via the postage meter; 

encrypting the printer unique identifier at the 
data center; 

transmitting the encrypted printer unique identifier 
to the printer via the postage meter; and 
decrypting the encrypted printer unique identi- 
fier at the printer and comparing the printer 
unique identifier which the printer transmitted 
to the printer unique identifier which the printer 
received to determine if there is a match before 
enabling the respective domain in the printer 
corresponding to the particular domain of the 
postage meter. 
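
The exchange recited in claims 1 to 6, together with the key-confinement argument in the description (a compromised printer key exposes only that printer in that domain), can be traced in a short simulation. This is an added example, not code from the patent: an HMAC-SHA-256 keystream with a MAC stands in for the DES engine the description names, and the identifiers (MTR-1, PRN-A, D1), the `printer_id|domain` message layout, the data center holding a copy of each printer's per-domain key, and the printer trying each key it holds are all assumptions of the example.

```python
import hashlib, hmac, os

def _sub(key, label):            # separate encryption and MAC subkeys
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor(key, nonce, data):      # SHA-256 keystream; stand-in for the page's DES
    ks = b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, msg):
    nonce = os.urandom(12)
    ct = _xor(_sub(key, b"enc"), nonce, msg)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return _xor(_sub(key, b"enc"), nonce, ct) if hmac.compare_digest(tag, good) else None

class DataCenter:
    def __init__(self, valid_meters, printer_keys):
        self.valid_meters = valid_meters      # set of known meter ids
        self.printer_keys = printer_keys      # (printer_id, domain) -> key (assumed)
    def respond(self, meter_id, domain, printer_id):
        key = self.printer_keys.get((printer_id, domain))
        if meter_id not in self.valid_meters or key is None:
            return None                       # claims 2/5: invalid meter gets nothing
        return seal(key, f"{printer_id}|{domain}".encode())

class Printer:
    def __init__(self, printer_id, domain_keys):
        self.printer_id, self.domain_keys, self.enabled = printer_id, domain_keys, set()
    def receive(self, blob):
        for domain, key in self.domain_keys.items():   # assumption: try each held key
            if unseal(key, blob) == f"{self.printer_id}|{domain}".encode():
                self.enabled.add(domain)               # claims 3/6: id matched, enable
                return domain
        return None

def meter_update(meter_id, domain, printer, dc):
    """Meter's role: send its id, its domain and the printer id; relay the reply."""
    blob = dc.respond(meter_id, domain, printer.printer_id)
    return printer.receive(blob) if blob else None

def build_demo():                # constructed sample ids and random keys
    keys = {(p, d): os.urandom(16) for p in ("PRN-A", "PRN-B") for d in ("D1", "D2")}
    printers = {p: Printer(p, {d: keys[p, d] for d in ("D1", "D2")}) for p in ("PRN-A", "PRN-B")}
    return DataCenter({"MTR-1"}, keys), printers, keys
```

Because every (printer, domain) pair has its own key, a reply sealed for PRN-A in D1 is rejected by PRN-B, and the D1 key of PRN-A opens neither PRN-A's D2 replies nor any reply for PRN-B.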